Re: Mailing list questions (DMARC, ARC, more?)

2022-09-01 Thread Alessandro Vesely
On Mon 29/Aug/2022 12:09:10 +0200 Matus UHLAR - fantomas wrote: On 25.08.22 18:10, Alessandro Vesely wrote: The lack of interest by others proves that From: munging is not so much of a nuisance as they say... This will come sooner or later, however: earlier this year I've done small dmarc r

BIND 9.18.6 disables RSASHA1 at runtime?

2022-09-01 Thread Anand Buddhdev
Hi BIND developers, The release notes for 9.18.6 say: "The DNSSEC algorithms RSASHA1 and NSEC3RSASHA1 are now automatically disabled on systems where they are disallowed by the security policy (e.g. Red Hat Enterprise Linux 9)." Does this happen at runtime when BIND starts? If an administra

Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Hi, We are running BIND version 9.16.31 on a RHEL 7.X server and things are working fine in general. We are having an issue with DNS resolution for www.ssa.gov; no other DNS issues are reported at this time. Our DNS server cannot seem to resolve www.ssa.gov using nslooku

Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread John W. Blue via bind-users
Sandeep, Are you all using CISA's Protective DNS? If so, there might be a ruleset that is causing problems. If not, and I have not checked, but is DNSSEC for SSA working correctly? John Sent from Nine From: "Bhangui, Sandeep - BLS CT

Re: BIND 9.18.6 disables RSASHA1 at runtime?

2022-09-01 Thread Mark Andrews
Yes. You will need to restart the server. That all said if you are signing zones using RSASHA1 or NSEC3RSASHA1 you should transition to a newer algorithm if you want to have your zone validated by as many as possible. -- Mark Andrews > On 1 Sep 2022, at 22:59, Anand Buddhdev wrote: > > Hi

Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bjørn Mork
www.ssa.gov is a separate zone according to the ssa.gov NS: bjorn@idefix:~$ dig ns www.ssa.gov @dns1.ssa.gov ; <<>> DiG 9.16.27-Debian <<>> ns www.ssa.gov @dns1.ssa.gov ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56002 ;; flags: qr rd; QUERY: 1, ANSW

RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
John, We have not moved to PDNS as yet. I am not sure about DNSSEC for SSA; will check on that. Thanks Sandeep From: bind-users On Behalf Of John W. Blue via bind-users Sent: Thursday, September 1, 2022 5:03 PM To: bind-users@lists.isc.org Subject: Re: Issue with dns resolution for www.ssa.gov

RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
Thanks Bjorn. This indeed looks like a mess up from SSA side. Sandeep -Original Message- From: bind-users On Behalf Of Bjørn Mork Sent: Thursday, September 1, 2022 5:26 PM To: BIND users Subject: Re: Issue with dns resolution for www.ssa.gov CAUTION: This email originated from outside

RE: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Bhangui, Sandeep - BLS CTR via bind-users
If I go to my personal computer or my personal phone (not on VPN connected to BLS network or using BLS resources) I can get to the site www.ssa.gov, which I would take to mean that it is able to resolve www.ssa.gov. Does that mean the dns resolution for www.ssa.gov is not broken globally as

Re: Issue with dns resolution for www.ssa.gov

2022-09-01 Thread Mark Andrews
Just because a broken configuration “works” some of the time for some people, that doesn’t mean that it is not broken. RFC 1034 says: "The domain system provides such a feature using the canonical name (CNAME) RR. A CNAME RR identifies its owner name as an alias, and specifies the corresponding